In rare situations, you might want to use a VPN peer’s real IP
address on the inside network instead of an assigned local IP address. Normally
with VPN, the peer is given an assigned local IP address to access the inside
network. However, you might want to translate the local IP address back to the
peer-s real public address if, for example, your inside servers and network
security is based on the peer’s real IP address.
Cisco ASA 55xx introduced a way to translate the VPN client’s
assigned IP address on the internal/protected network to its public (source) IP
address. This feature supports the scenario where the target servers/services
on the internal network and network security policy require communication with
the VPN client’s public/source IP instead of the assigned IP on the internal
You can enable this feature on one interface per tunnel group.
Object NAT rules are dynamically added and deleted when the VPN session is
established or disconnected.
Because of routing issues, we do not recommend using this
feature unless you know you need it.
Only supports legacy (IKEv1) and AnyConnect clients.
Return traffic to the public IP addresses must be routed back to
the ASA so the NAT policy and VPN policy can be applied.
Only supports IPv4 assigned and public addresses.
Multiple peers behind a NAT/PAT device are not supported.
Does not support load balancing (because of routing issue).
Does not support roaming.